On Fri, 28 Oct 2005, Michal Ludvig wrote:
1) In "active" mode the packet sent to the server contains "PORT 192.168.0.137,<port>" which isn't translated to 192.168.0.160 in the SNAT rule and the server responds with "500 Illegal PORT command."
You need to load the ip_nat_ftp module for this to work.
2) In "passive" mode both sides negotiate random ports but such a connection isn't caught by the MARK rule and is sent over eth0 with src address 192.168.0.137. Obviously the ftp server responds with "425 Security: Bad IP connecting."
CONNMARK can help you with this. So can the helper match. CONNMARK is probably easier.
I have finally found a half-working dirty solution:

# iptables -t mangle -A OUTPUT -p tcp -d 192.168.157.21 \
    -m state --state RELATED -j MARK --set-mark 6

However this would affect all RELATED connections, not only FTP ones (well, that's likely not a huge problem but still :-) and it works with active ftp only which could be a serious problem.
Note: The above rule only matches the very first packet on a related connection (i.e. the initial SYN of an FTP data channel).
Regards,
Henrik
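As an added example (not part of Henrik's or Michal's messages), here is the CONNMARK-based ruleset Henrik is pointing at, as a small POSIX shell script. The server address 192.168.157.21 and mark 6 are taken from Michal's rule; the names FTP_SERVER, FTP_MARK, IPTABLES and the two functions are this example's own. It relies on one kernel behaviour that you should verify on your own system: a connection created from an FTP helper expectation (the data channel) starts with the connmark of its master (the control connection). Given that, `CONNMARK --restore-mark` puts the mark on every packet of both the control and the data connection, including the first SYN of a passive-mode data channel, so the existing `fwmark`-based route and SNAT rules keyed on mark 6 need no change. Item 1 in the thread (the untranslated PORT address) is still handled by ip_nat_ftp, which the script loads.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Mark FTP control *and* data connections to one server with CONNMARK so that
# policy routing / SNAT keyed on the mark sees both active and passive data
# channels. Assumes (verify on your kernel) that conntrack entries created
# from an ftp helper expectation inherit the master connection's connmark.
#
# Usage:  sh ftp-connmark.sh        # print the rules (dry run)
#         sh ftp-connmark.sh apply  # apply them (needs root)

FTP_SERVER="${FTP_SERVER:-192.168.157.21}"   # from Michal's rule
FTP_MARK="${FTP_MARK:-6}"                    # from Michal's rule
IPTABLES="${IPTABLES:-iptables}"             # set to "echo iptables" for a dry run

# Load the FTP conntrack and NAT helpers. ip_nat_ftp rewrites the address
# in the PORT command (active mode); without it the SNAT'd session gets
# "500 Illegal PORT command". Module names differ between kernel versions,
# so try the old and the new ones and ignore the ones that do not exist.
load_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp; do
        modprobe "$m" 2>/dev/null || true
    done
}

# $1 = FTP server address, $2 = mark value.
# Rule order matters: the connmark is set on the control connection's first
# packet, then restore-mark copies the connmark onto every outgoing packet.
ftp_connmark_rules() {
    # 1. New control connections to the server get connmark $2. Conntrack
    #    runs before the mangle table in OUTPUT, so the entry already exists.
    $IPTABLES -t mangle -A OUTPUT -p tcp -d "$1" --dport 21 -m state --state NEW -j CONNMARK --set-mark "$2"
    # 2. Copy the connmark onto each packet. Later control packets carry it,
    #    and so does every packet of a data channel expected by the ftp
    #    helper (its connmark is inherited from the control connection),
    #    which is what Michal's MARK-on-RELATED rule could only do for the
    #    first SYN. Other RELATED traffic (e.g. ICMP errors) keeps connmark 0.
    $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

case "${1:-show}" in
    apply)
        load_ftp_helpers
        ftp_connmark_rules "$FTP_SERVER" "$FTP_MARK"
        ;;
    show)
        IPTABLES="echo iptables"
        ftp_connmark_rules "$FTP_SERVER" "$FTP_MARK"
        ;;
esac
```

If you would rather keep marking per packet without CONNMARK, the helper match Henrik mentions restricts Michal's original rule to FTP-related traffic (`-m state --state RELATED -m helper --helper ftp`), but as Henrik notes it still fires only for the first packet of each data channel, so the restore-mark approach is the one that survives into ESTABLISHED state.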